Search Images Maps Play YouTube News Gmail Drive More »
Sign in
Screen reader users: click this link for accessible mode. Accessible mode has the same essential features but works better with your reader.

Patents

  1. Advanced Patent Search
Publication numberUS7551740 B2
Publication typeGrant
Application numberUS 10/960,278
Publication dateJun 23, 2009
Filing dateOct 8, 2004
Priority dateOct 8, 2003
Fee statusPaid
Also published asCN1630231A, CN100466514C, US20050111657
Publication number10960278, 960278, US 7551740 B2, US 7551740B2, US-B2-7551740, US7551740 B2, US7551740B2
InventorsKyung-Hee Lee, Tae-chul Jung, Evgeny Krouk, Sergey Bezzateev, Evgeny Linsky
Original AssigneeSamsung Electronics Co., Ltd.
Export CitationBiBTeX, EndNote, RefMan
External Links: USPTO, USPTO Assignment, Espacenet
Weighted secret sharing and reconstructing method
US 7551740 B2
Abstract
A weighted secret sharing and reconstructing method includes encoding the secret using a predetermined code, producing voices so that different weights are assigned to errors in an error vector according to locations of the errors, encrypting the encoded secret using the error vector and distributing the encrypted encoded secret to a plurality of participants.
Images(8)
Previous page
Next page
Claims(16)
1. A method of sharing a secret, comprising:
using a computer to perform the operations of:
encoding the secret using a predetermined code;
producing voices so that different weights are assigned to errors in an error vector according to locations of the errors in the error vector; and
encrypting the encoded secret using the error vector and distributing the encrypted encoded secret to a plurality of participants N,
wherein code blocks are determined by a generator polynomial of the predetermined code, and the predetermined code has a codeword which concatenates the code blocks with different lengths together, and wherein the voices are set to assign the different weights to the errors, which correspond to each code block in the error vector, so that different weights are given to errors in an error vector according to locations of the errors,
the error vector e is known to the plurality of participants N, code parameters are selected to make a (K,N) threshold secret sharing scheme realizable, where N= a number of secret shares of the secret distributed to the N participants, N=wt(e) wherein a weight (wt) τi(i=1, 2, 3. . . , N) is given to each secret share si according to a location i in the error vector, as set forth in Equation 1 below:
T = i = 1 N τ i , ( 1 )
(d−1) or less errors are to be corrected, wherein a number of participants required to reconstruct the secret is at least K that satisfies wt(e)−K≦(d−1)/2 or 2K≧2 wt(e)−d+1, a minimum distance is d≦deg g(x)+1 when using Goppa code, and the minimum distance is d≦2(deg g(x))+1 when using binary Goppa codewith a separable Goppa polynomial g(x), wherein for a generalized Goppa code, the minimum distance is estimated using the generalized Goppa code with a Goppa polynomial g(x) and a locator set L, and an arbitrary error set T={t1, t2, . . ., tl} that satisfies following Equation (2) with respect to the respective code blocks a1 (l)a2 (l) . . . an l (l) is corrected:

(deg g(x))/2≧t lτl +t 2τ2 + . . . +t lτl  (2),
wherein t1, t2, . . . , and tl denote numbers of errors contained in the code blocks with lengths of n1, n2, . . . , and nl, respectively, and wherein in a generalized binary Goppa code, (deg g(x))/2 presented in Equation (2) is converted into (2 deg g(x))/2.
2. A method of reconstructing a secret distributed to participants after encoding the secret using an encoded secret, generating voices so that different weights are assigned to errors in an error vector, and encrypting the encoded secret using the error vector, the method comprising:
using a computer to perform the operations of:
determining a number of voices required to decode the code;
selecting a portion of the participants according to the determined number of voices;
collecting the encrypted encodedsecret from the selected portion of the participants; and
reconstructing the secret by decrypting and error-correction decoding the encrypted encoded secret,
wherein the different weights are given to the errors in the error vector e according to locations of the errors,
and using a generalized Goppa code to correct errors, a number of voices allocated to the participants is determined by a degree of a locator, wherein the degree of the locator corresponds to a location j of an error in the error vector e and is known to the participants, a (k,T) or (K,N) weighted secret sharing scheme is realized according to the following: T denotes a total number of voices used in the scheme and is equivalent to a weight given to the error vector e such that T=t1τ1+t2τ2+ . . .+tlτl, wherein ti denotes a number of non-zero values of the error vector e that corresponds to locations of locator polynomials with a degree of τl, N denotes a number of the participants that is equal to a sum of t1, t2, . . . , and tl, k denotes a minimum number of voices required for secret reconstruction that is equal to a sum of t1τ1, t2τ2, . . . , and tlτl, ki denotes a number of participants with voices of τi that is equal to or larger than T−(deg g(x))/2, and in a case of a binary Goppa code with a separable Goppa polynomial, k≧T−(deg g(x)), K denotes a minimum number of participants required for secret reconstruction wherein the minimum number is equal to a sum of k1, k2, . . . , and kl.
3. The method of claim 2, wherein the determined number of voices is a sum of values obtained by summing products obtained by multiplying numbers of participants having the generated voices by corresponding voices, respectively.
4. The method of claim 2, wherein, when a number of errors remaining after the decrypting multiplied by each voice is greater than or equal to a sum of products of each error corresponding to the errors remaining, an error correction decoding is utilized to correct the errors remaining.
5. A method of sharing and reconstructing a secret, comprising:
using a computer to perform the operations of:
encoding the secret using a predetermined code;
generating voices so that different weights are assigned to errors in an error vector according to locations of the errors in the error vector;
encrypting the encoded secret using the error vector and distributing the encrypted encoded secret to participants;
determining a number of voices required to decode the predetermined code;
selecting a portion of the participants by the determined number of voices;
collecting the encrypted encoded secret from the selected portion of the participants; and
reconstructing the secret by decrypting and error-correction decoding the encrypted encoded secret,
wherein code blocks are determined by a generator polynomial of the code, and the encoded secret has a codeword which concatenates the code blocks with different lengths together, and wherein the voices are determined so that different weights are assigned to the errors, which correspond to each code block in the error vector,
the error vector e is known to the participants, code parameters are selected to make a (K,N) threshold secret sharing scheme realizable, where N=a number of secret shares of the secret distributed to the N participants, N=wt(e) wherein a weight (wt) τi(i =1,2, 3 . . . , N) is given to each secret share si according to a location i in the error vector, as set forth in Equation (1) below:
T = i = 1 N τ i , ( 1 )
(d−1) or less errors are to be corrected, wherein a number of participants required to reconstruct the secret is at least K that satisfies wt(e)−K≦(d−1)/2 or 2K≧2 wt(e)−d+1, a minimum distance is d≦deg g(x)+1 when using Goppa code, and the minimum distance is d≦2(deg g(x))+1 when using binary Goppa code with a separable Goppa polynomial g(x), wherein for a generalized Goppa code, the minimum distance is estimated using the generalized Goppa code with a Goppa polynomial g(x) and a locator set L, and an arbitrary error set T={t1, t2, . . . , tl} that satisfies following Equation (2) with respect to the respective code blocks a1 (l)a2 (l). . . an l (l) is corrected:

(deg g(x))/2≧t 1τ1 +t 2τ2 + . . . +t lτl  (2),
wherein t1, t2, . . . , and tl denote numbers of errors contained in the code blocks with lengths of n1, n2, . . . , and nl, respectively, and wherein in a generalized binary Goppa code, (deg g(x))/2 presented in Equation (2) is converted into (2 deg g(x))/2.
6. The method of claim 5, wherein the determined number of voices is a sum of values obtained by summing products obtained by multiplying voices generated, wherein the voices generated are the voices obtained so that different weights are assigned to errors in an error vector according to locations of the errors in the error vector, to correspond to the code blocks by numbers of participants having corresponding voices, respectively.
7. The method of claim 5, wherein a total number of the voices is a sum of values obtained by summing products obtained by multiplying weights assigned to the code blocks, wherein the weights assigned are the different weights that are assigned to errors in an error vector according to locations of the errors in the error vector, and the voices corresponding to the code blocks, respectively.
8. The method of claim 5, wherein the error correction decoding corrects a number of errors when the number of errors is greater than or equal to a sum of products of each error remaining after the decrypting by each voice corresponding to the remaining errors.
9. A computer-readable storage medium having embodied thereon a computer program to share a secret, the computer program executing:
encoding the secret using a predetermined code;
producing voices so that different weights are assigned to errors in an error vector according to locations of the errors in the errors in the error vector; and
encrypting the encoded secret using the error vector and distributing the encrypted encoded secret to a plurality of participants,
wherein code blocks are determined by a generator polynomial of the predetermined code, and the predetermined code has a codeword which concatenates the code blocks with different lengths together, and wherein the voices are set to assign different weights to the errors, which correspond to each code block in the error vector, so that different weights are given to errors in an error vector according to locations of the errors,
the error vector e is known to the plurality of participants, code parameters are selected to make a (K,N) threshold secret sharing scheme realizable, where N=a number of secret shares of the secret distributed to the N participants, N=wt(e) wherein a weight (wt) τi(i=1, 2, 3 . . . , N) is given to each secret share si according to a location i in the error vector, as set forth in Equation (1) below:
T = i = 1 N τ i , ( 1 )
(d−1) or less errors are to be corrected, wherein a number of participants required to reconstruct the secret is at least K that satisfies wt(e)−K≦(d−1)/2 or 2K≧2 wt(e)−d+1, a minimum distance is d≦deg g(x)+1 when using Goppa code, and the minimum distance is d≦2(deg g(x))+1 when using binary Goppa code with a separable Goppa polynomial g(x), wherein for a generalized Goppa code, the minimum distance is estimated using the generalized Goppa code with a Goppa polynomial g(x) and a locator set L, and an arbitrary error set T={t1, t2, . . . , tl} that satisfies following Equation (2) with respect to the respective code blocks a1 (l)a2 (l) . . . an l (l) is corrected:

(deg g(x))/2≧t 1τ1 +t 2τ2 + . . . +t lτl  (2),
wherein t1, t2, . . . , and tl denote numbers of errors contained in the code blocks with lengths of n1, n2, . . . , and nl, respectively, and wherein in a generalized binary Goppa code, (deg g(x))/2 presented in Equation (2) is converted into (2 deg g(x))/2.
10. A computer-readable storage medium having embodied thereon a computer program to reconstruct a secret distributed to participants after encoding the secret using an encoded secret, generating voices so that different weights are assigned to errors in an error vector, and encrypting the encoded secret using the error vector, the computer program executing:
determining a number of voices required to decode the code;
selecting a portion of the participants according to the determined number of voices;
collecting the encrypted encoded secret from the selected portion of the participants; and
reconstructing the secret by decrypting and error-correction decoding the encrypted encoded secret,
wherein the different weights are given to the errors in the error vector according to locations of the errors,
and using a generalized Goppa code to correct errors, a number of voices allocated to the participants is determined by a degree of a locator, wherein the degree of the locator corresponds to a location j of an error in the error vector e and is known to the participants, a (k,T) or (K,N) weighted secret sharing scheme is realized according to the following: T denotes a total number of voices used in the scheme and is equivalent to a weight given to the error vector e such that T=t1τ1+t2τ2+ . . . +tlτl, wherein ti denotes a number of non-zero values of the error vector e that corresponds to locations of locator polynomials with a degree of τ1, N denotes a number of the participants that is equal to a sum of t1, t2, . . . , and tl, k denotes a minimum number of voices required for secret reconstruction that is equal to a sum of t1τ1, t2τ2, . . . , and tlτl, ki denotes a number of participants with voices of τi that is equal to or larger than T−(deg g(x))/2, and in a case of a binary Goppa code with a separable Goppa polynomial, k≧T−(deg g(x)), K denotes a minimum number of participants required for secret reconstruction wherein the minimum number is equal to a sum of k1, k2, . . . , and kl.
11. The computer-readable storage medium of claim 10, wherein the determined number of voices is a sum of values obtained by summing products obtained by multiplying numbers of participants having the generated voices by the corresponding voices, respectively.
12. The computer-readable storage medium of claim 10, wherein the error correction decoding corrects a number of errors when the number of errors is greater than or equal to a sum of products of each error remaining after the decrypting multiplied by each voice corresponding to the remaining errors.
13. A computer-readable storage medium having embodied thereon a computer program to share and reconstruct a secret, the computer program executing:
encoding the secret using a predetermined code;
generating voices so that different weights are assigned to errors in an error vector according to locations of the errors in the error vector;
encrypting the encoded secret using the error vector and distributing the encrypted encoded secret to participants;
determining a number of voices required to decode the predetermined code;
selecting a portion of the participants by the determined number of voices;
collecting the encrypted encoded secret from the selected portion of the participants; and
reconstructing the secret by decrypting and error-correction decoding the encrypted encoded secret,
wherein code blocks are determined by a generator polynomial of the code, and the encoded secret has a codeword which concatenates the code blocks with different lengths together, and wherein the voices are determined so that different weights are assigned to the errors, which correspond to each code block in the error vector so that different weights are assigned to the errors, which correspond to each code block in the error vector,
the error vector e is known to the participants, code parameters are selected to make a (K,N) threshold secret sharing scheme realizable, where N= a number of secret shares of the secret distributed to the N participants, N=wt(e) wherein a weight (wt) τi(i=1, 2, 3 . . . , N) is given to each secret share si according to a location i in the error vector, as set forth in Equation (1) below:
T = i = 1 N τ i , ( 1 )
(d−1) or less errors are to be corrected, wherein a number of participants required to reconstruct the secret is at least K that satisfies wt(e)−K≦(d−1)/2 or 2K≧2 wt(e)−d+1, a minimum distance is d≦deg g(x)+1 when using Goppa code, and the minimum distance is d≦2(deg g(x))+1 when using binary Goppa code with a separable Goppa polynomial g(x), wherein for a generalized Goppa code, the minimum distance is estimated using the generalized Goppa code with a Goppa polynomial g(x) and a locator set L, and an arbitrary error set T={t1, t2, . . . , tl} that satisfies following Equation (2) with respect to the respective code blocks a1 (l)a2 (l) . . . an l (l) is corrected:

(deg g(x))/2≧t 1τ1 +t 2τ2 + . . . +t lτl  (2),
wherein t1, t2, . . . , and tl denote numbers of errors contained in the code blocks with lengths of n1, n2, . . . , and nl, respectively, and wherein in a generalized binary Goppa code, (deg g(x))/2 presented in Equation (2) is converted into (2 deg g(x))/2.
14. The computer-readable storage medium of claim 13, wherein the determined number of voices is a sum of values obtained by summing products obtained by multiplying voices generated”, wherein the voices generated are the voices obtained so that different weights are assigned to errors in an error vector according to locations of the errors in the error vector,” to correspond to code blocks by numbers of participants having corresponding voices, respectively.
15. The computer-readable storage medium of claim 13, wherein a total number of the voices is a sum of values obtained by summing products obtained by multiplying weights assigned to the code blocks and the voices corresponding to code blocks, respectively.
16. The computer-readable storage medium of claim 13, wherein, when a number of errors remaining after the decrypting multiplied by each voice is greater than or equal to a sum of products of each error corresponding to the errors remaining, an error correction decoding is utilized to correct the errors remaining.
Description
CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the priority of Korean Patent Application No. 2003-70026 filed on Oct. 8, 2003 in the Korean Intellectual Property Office, the disclosure of which is incorporated herein in its entirety by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a weighted secret sharing and reconstructing method, and more particularly, to a method of sharing and reconstructing a secret using a weighted error vector.

2. Description of the Related Art

When there are a set R of N participants and a set L of subsets of the N participants, a threshold secret sharing scheme distributes shares of a secret to the N participants and allows the secret to be reconstructed when subsets of participants belong to the set L.

An ideal threshold secret sharing scheme has the following characteristics: (i) all participants must take part in key agreement of the set R; (ii) a master private key of the set R is not disclosed to all the participants; (iii) at least a predetermined number (i.e., a threshold) of participants must participate in a process of decrypting a message encrypted by the master private key; (iv) at least a predetermined number (i.e., a threshold) of participants must participate in a signature procedure of the message using the master private key; (v) after setting the scheme, the process of decryption or signature of the message by the participants whose subsets belong to the set L is non-interactive; and (vi) the master private key or a public key shall not be changed even when a new participant is included in the set R or a participant belonging to the set R leaves the set R.

A (k,N) threshold secret sharing scheme is another example of the threshold secret sharing scheme. The (k,N) threshold secret sharing scheme allows a secret to be reconstructed when k of N dispersed secret shares are collected. FIG. 1 illustrates a a conventional (k,N) threshold secret sharing scheme. Referring to FIG. 1, a secret 10 is divided into secret shares with equal importance and distributed to N participants 11. The secret 10 is reconstructed by collecting the secret shares of at least three of the N participants, combining them (see reference numeral 12), and reconstructing a secret 13.

However, the (k,N) threshold secret sharing scheme is disadvantageous in that at least k secret shares are required to reconstruct a secret since N secret shares with equal importance are distributed to N participants. For instance, it is impossible to completely reconstruct the secret when (k−1) secret shares are collected and combined.

Alternatively, a hierarchical threshold secret sharing scheme, which is yet another example of the threshold secret sharing scheme and allows each level of a multi-level structure to share a secret, needs to give a hierarchical grant to a participant who desires to access the multi-level structure.

SUMMARY OF THE INVENTION

The present invention provides a weighted secret sharing and reconstructing method in which secret shares with different weights are distributed to participants, so that a secret may be completely reconstructed even when (k−1) secret shares are collected and combined.

According to an aspect of the present invention, a method of sharing a secret, includes encoding the secret using a predetermined code, producing voices so that different weights are given to errors in an error vector according to locations of the errors, encrypting the code using the error vector, and distributing a result of encryption to a plurality of participants.

According to another aspect of the present invention, a method reconstructs a secret distributed to participants after encoding the secret using a predetermined code, generating voices so that different weights are given to errors in an error vector according to locations of the errors, and encrypting the code using the error vector. The method includes determining a number of voices required to decode the code, selecting a part of participants according to the determined number of voices, collecting the secret from the selected participants, and reconstructing the secret by decrypting and error-correction decoding the secret.

According to yet another aspect of the present invention, a method of sharing and reconstructing a secret includes encoding the secret using a predetermined code, producing voices so that different weights are given to errors in an error vector according to locations of the errors, encrypting the code using the error vector and distributing a result of encrypting to participants; determining a number of voices required to decode the code; selecting parts of the participants by the determined number of voices; collecting the secret from the selected participants, and reconstructing the secret by decrypting and error-correction decoding the secret.

Additional aspects and/or advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

These and/or other aspects and advantages of the invention will become apparent and more readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:

FIG. 1 is a schematic representation of a conventional (k,N) threshold secret sharing scheme;

FIG. 2 is a schematic representation of a (K,N) weighted threshold secret sharing method according to an embodiment of the present invention;

FIG. 3 is a flowchart illustrating a method of sharing and reconstructing a secret, according to an embodiment of the present invention;

FIG. 4 is a schematic representation illustrating a method of encrypting a secret in accordance with an embodiment of the present invention when a weight enabling error correction is 3;

FIG. 5 is a schematic representation illustrating a method of collecting shares of a secret from three participants whose voices are 1, respectively, and reconstructing the secret, according to an embodiment of the present invention;

FIG. 6 is a schematic representation illustrating a method of collecting shares of a secret from two participants whose voices are 1 and 2, respectively, and reconstructing the secret, according to an embodiment of the present invention;

FIG. 7 is a schematic representation illustrating a process of collecting shares of a secret from two participants whose voices are 1, respectively, and attempting to reconstruct the secret, according to an embodiment of the present invention, with a result of decrypting the secret and obtaining two errors with a voice of 1 and an error with a voice of 2.

DETAILED DESCRIPTION OF THE EMBODIMENTS

Reference will now be made in detail to the embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to the like elements throughout. The embodiments are described below to explain the present invention by referring to the figures.

FIG. 2 is a schematic representation of a (K,N) weighted threshold sharing and distributing method according to an embodiment of the present invention. Referring to FIG. 2, a secret 20 is divided into secret shares with different weights and distributed to N participants 21. The secret 20 is reconstructed as a secret 23 either by collecting secret shares from two participants of the N participants 21, wherein one the participants has a weighted secret share, and combining the collected secret shares 22 or by collecting non-weighted secret shares from three participants and combining the collected secret shares 22.

More specifically, a secret S is divided into N secret shares, and the N secret shares are distributed to N participants who are interlinked via a channel, respectively. The secret S is encrypted using an error vector e and distributed, according to the McEliece technique.

Every participant may access the secret S. A weight (wt) τi (i=1, 2, 3 . . . , N) is given to a secret share si according to a location i in the error vector.

T = i = 1 N τ i , ( 1 )
wherein T denotes a total of weights given to the error vector.

According to the McEliece technique, when one of participants who receives the secret shares desires to reconstruct the secret S, the participant reconstructs the secret S using his/her secret share and (K−1) secret shares. In this case, weights given to the secret shares may be expressed as follows:

i = 1 N τ i k , ( 2 )
wherein k denotes a minimum number of secret shares required to reconstruct the secret S.

To reconstruct the secret S, one of the N participants collects (K−1) encrypted secret shares from K−1 participants via a public communication channel. Next, the participant reconstructs the secret S by combining his/her secret share with the collected (K−1) secret shares and decrypting a result of the combination.

To encrypt and decrypt the secret S, the present invention uses a generalized Goppa code. The q-ary generalized Goppa code with a length n is defined by an n-type vector α=(α1α2 . . . αn) as follows:

i = 1 n a i V i ( x ) U i ( x ) 0 mod g ( x ) , ( 3 )
wherein ai∈GF(q), a locator set

L = { V i ( x ) U i ( x ) } i = 1 n
wherein Vi(x) and Ui(x) are polynomials over GF(qm). Here, GCD(Ui(x), Vi(x))=1, deg Vi(x)<deg Ui(x), and GCD(Ui(x), Ui(x))=1 for all i≠j. GCD denotes a greatest common measure, deg denotes a greatest degree of a polynomial, and g(x) denotes a Goppa polynomial over GF(qm), satisfying GCD((Ui(x), g(x))=1 for i that ranges from 1 to n.

The generalized (L,g) Goppa code has a minimum distance of d0≧d when d satisfies following Equation (4):
deg g(x)>(d−2)r+s  (4),
wherein r=deg Ui(x) and s=deg Vi(x).

In the generalized Goppa code for enabling error correction, a locator set L may be determined with respect to the Goppa polynomial G(x), as follows:

L = U j = 1 l { R i ( j ) } i = 1 n j , n = j = 1 l n j , ( 5 )
wherein Ri (j) is a rational function and may be expressed as follows:
R i {j} =V i (j)(x)/U i (j)(x)  (6),
wherein deg Vi (j)(x)=ri, deg Ui (j)(x)=τi, and (Vi (j)(x), Ur (k)(x))=1 with respect to arbitrary values i, j, k, and r.

If a vector a=(a1 (1)a2 (1) . . . an 1 (1)a1 (2)a2 (2) . . . an 2 (2)a1 (1)a2 (1) . . . an l (1)) is a codeword of the generalized (L,g) Goppa code with a length of n=n1+n2+ . . . +nl, the Goppa polynomial g(x) and locator set L must satisfy following Equation (7):

i = 1 l i = 1 n j a i ( j ) V i j ( x ) U i ( j ) ( x ) 0 mod g ( x ) , ( 7 )

For the generalized Goppa code, it is possible to estimate its minimum distance. Using the generalized Goppa code with the Goppa polynomial g(x) and the locator set L, it is possible to correct an arbitrary error set T={t1, t2, . . . , tl} that satisfies following Equation (8) with respect to the respective code blocks a1 (1)a2 (1) . . . an l (1):
(deg g(x))/2≧t 1τ1 +t 2τ2 + . . . +t lτl  (8),
wherein t1, t2, . . . , and tl denote numbers of errors contained in the code blocks with lengths of n1, n2, . . . , and nl, respectively.

In the case of a generalized binary Goppa code, (deg g(x))/2 presented in Equation (8) is converted into (2 deg g(x))/2.

It is assumed that there is generalized Goppa code of (36, 18, 7) where n1=8, n2=28 and the Goppa polynomial is g(x)=x6+x+α3, if α∈GF(23).

In connection with the code block of the length n1, we will use a function of first degree as follows:
U i {1}=1/(x−α i), i=1, . . . , n 1, αi ∈GF(23), α8=0  (9)

In connection with the code block of the length n2, we will use second-degree polynomials, which are irreducible over GF (23), with coefficients belonging to GF(23), as follows:
{U1i (2)(x), U2i (2)(x), U3i (2), U4i (2)(x)}i=1, . . . , 7  (10),
where U1i (2)(x)=(αix)25ix)+α3, U2i (2)(x)=(αix)25ix)+α4, U3i (2)(x)=(αix)26ix)+α9, and U4i (2)(x)=(αix)231x)+α.

d≧7 is obtained by Equation (4) and the binary generalized Goppa code allows correction of an error set T={t1, t2} that satisfies (2deg g(x))/2≧t1+2t2. Ranges of t1 and t2 are shown in Table 1.

TABLE 1
N1 = 8 N2 = 28 total length n = 36
t1 t2 total number of correctable errors t
0 ≦3 ≦3
≦2 ≦2 ≦4
≦4 ≦1 ≦5
≦6 0 ≦6

When the generalized Goppa code has a locator set of a third degree polynomial, it is possible to correct an error set T={t1, t2, t3} that satisfies (2deg g(x))/2≧t1+2t2+3t3, using the generalized Goppa code with a length of n=n1+n2+n3.

A threshold secret sharing method adopting using a public key scheme, according to the present invention, may be realized using the Goppa code. In the method, an error vector e is known to all participants. Also, by properly selecting code parameters, the (K,N) threshold secret sharing scheme is realizable, where N=wt(e). Error correcting code may allow (d−1) or less errors to be corrected. Accordingly, a number of participants required to reconstruct a secret is at least K that satisfies wt(e)−K (d−1)/2, i.e., 2K 2 wt(e)−d+1. The minimum distance is d≦deg g(x)+1 when using Goppa code, and the minimum distance is d≦2(deg g(x))+1 when using binary Goppa code with a separable Goppa polynomial g(x).

There may be a situation in which some of the participants who are taking part in secret decryption provide wrong values of their secret shares. For instance, when k1 participants provide correct values of their secret shares, and k2 participants provide wrong values of their secret shares, this situation may be expressed as follows:
wt(e)−k 1 +k 2≦(d−1)/2
2k 1−2k 2≧2wt(e)−d+1  (11)

The above scheme may be generalized for a case wherein participants have different numbers of voices. Here, a voice is differentiated from a share, and a plurality of voices may be allocated to a secret share.

For instance, when using the generalized Goppa code for correcting errors, a number of voices allocated to the participants may be determined by the degree of a locator. The degree of the locator corresponds to a location j of an error in the error vector e and is known to the participants. In a case of using the generalized Goppa code, the (k,T) or (K,N) weighted secret sharing scheme may be realized according to the following conditions.

In the (k,T) or (K,N) weighted secret sharing scheme, T denotes a total number of voices used in the scheme and is equivalent to a weight given to the error vector e. That is, T=t1τ1+t2τ2+ . . . +tlτl. Here, ti denotes a number of non-zero values of the error vector e that corresponds to locations of locator polynomials with a degree of τl. N denotes a number of the participants that is equal to a sum of t1, t2, . . . , and tl. k denotes a minimum number of voices required for secret reconstruction that is equal to a sum of t1τ1, t2τ2, . . . , and tlτl. ki denotes a number of participants with voices of τi that is equal to or larger than T−(deg g(x))/2. In the case of the binary Goppa code with a separable Goppa polynomial, k T−(deg g(x)). K denotes a minimum number of participants required for secret reconstruction wherein the minimum number is equal to a sum of k1, k2, . . . , and kl.

Hence, according to an embodiment of the present invention, k voices, rather than k secret shares, are required to reconstruct a secret, and participants may have different numbers of voices. A size of a secret share is not related to a weight or a number of voices.

FIG. 3 is a flowchart illustrating a method of sharing and reconstructing a secret according to an embodiment of the present invention. Referring to FIG. 3, the secret is encoded using an error correcting code, preferably, the generalized Goppa code (operation 30). Then, code in which a plurality of code blocks with different lengths are concatenated together, similarly to code blocks determined by a locator set of the generalized Goppa code, is obtained. Next, voices are produced for error locations of error vectors which correspond to the respective code blocks (operation 31). The error vectors have different voices according to the error locations of errors in the code blocks obtained in operation 30. For instance, when a length n of the code obtained in operation 30 is a sum of n1 and n2, a voice of 1 is allocated to errors corresponding to n1 in error vectors and a voice of 2 is allocated to errors corresponding to n2 in error vectors. The error vectors are then added to the code obtained in operation 30, and the result of addition is encrypted. The result of encryption is distributed to N participants (operation 32). Here, N=wt(e).

To reconstruct the secret, a number (k, T) of voices required to decode the secret is determined (operation 33). Next, a number ki of participants is determined by the number (k, T) of voices (operation 34). For instance, if (k, T) is (5, 11), t1=7 and t2=2 when N=9. Thus, (k1, k2) may be one of (1,2), (3,1), and (5,0) since k1+2k2=k. Each combination of (1,2), (3,1), and (5,0) corresponds to (K=3, N=9), (K=4, N=9), and (K=5, N=9), respectively.

After determining the number ki of participants, the secret is reconstructed by collecting secret shares from the number ki of participants (operation 35), and decrypting and error-correcting decoding the collected secret shares (operation 36).

FIGS. 4 through 7 are schematic representations illustrating weighted secret sharing and reconstructing methods according to embodiments of the present invention.

In detail, FIG. 4 illustrates a method of encrypting a secret when a weight for error correction is set to 3. It is assumed that a left codebook outlined with a thick line indicates a code block when a voice is 1, and a right codebook outline with a thick line indicates a code block when a voice is 2. In FIG. 4, a, e, and b represent results of encoding the secret, an error vector, and a result of encrypting the secret.

FIG. 5 illustrates a method of restoring a secret from three participants who each hold a voice, respectively, and reconstructing the secret, according to an embodiment of the present invention. Referring to FIG. 5, a result c of decrypting the secret collected from the three participants contains an error with a voice of 1 and an error with a voice of 2. Next, the secret may be reconstructed by decoding the result c using an error correction and decoding algorithm.

FIG. 6 illustrates a method of restoring a secret from two participants who hold a voice of 1 and a voice of 2, respectively, and reconstructing the secret, according to an embodiment of the present invention. Referring to FIG. 6, a result c of decrypting the secret collected from the two participants contains three errors with a voice of 1. The secret may be reconstructed by decoding the result c using an error correction and decoding algorithm.

FIG. 7 illustrates a method of collecting a secret from two participants who each have a voice of 1, and attempting to reconstruct the secret, according to an embodiment of the present invention. Referring to FIG. 7, a result c of decrypting the secret collected from the two participants contains two errors with a voice of 1 and an error with a voice of 2. In this case, since a total weight of voices equals 4, which exceeds a weight of 3, which is a highest total number that would enable error correction, the secret may not be reconstructed using the error correction and decoding algorithm of the present invention. In other words, the secret may be reconstructed using the present invention only when a number of correctable errors is equal to, or larger than, a weight of errors reflecting the voices.

The present invention may be embodied as a program stored on a computer readable medium that can be run on a general computer. Here, the computer readable medium includes, but is not limited to, storage media such as magnetic storage media (e.g., ROM's, floppy disks, hard disks, and the like), optically readable media (e.g., CD-ROMs, DVDs, etc.), and carrier waves (e.g., transmission over the Internet). The present invention may also be embodied as a computer readable program code unit stored on a computer readable medium, for causing a number of computer systems connected via a network to affect distributed processing.

As described above, according to the present invention, a scheme may be realized wherein a weight of secret share does not depend on its size by using an error correcting code with an unequal error correction capability. Further, a weighted secret sharing scheme according to the present invention provides a constructive method to utilize parameters of a (K, N) weighted secret sharing scheme to share and reconstruct a secret.

Although a few embodiments of the present invention have been shown and described, it would be appreciated by those skilled in the art that changes may be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the claims and their equivalents.

Patent Citations
Cited PatentFiling datePublication dateApplicantTitle
US4682333 *Jun 24, 1985Jul 21, 1987Mitsubishi Denki Kabushiki KaishaDecoder for decoding a two-stage encoded code
US5987129 *Feb 21, 1997Nov 16, 1999Card Call Service Co., Ltd.Method of sharing cryptokey
US6173400 *Jul 31, 1998Jan 9, 2001Sun Microsystems, Inc.Methods and systems for establishing a shared secret using an authentication token
US6625775 *Dec 10, 1999Sep 23, 2003Samsung Electronics Co., Ltd.Encoder/decoder with serial concatenated structure in communication system
US6707397 *Oct 24, 2002Mar 16, 2004Apple Computer, Inc.Methods and apparatus for variable length codeword concatenation
US20020164033 *May 11, 2001Nov 7, 2002Sanguthevar RajasekaranEfficient techniques for sharing a secret
US20030147535 *Jan 29, 2002Aug 7, 2003Mehrdad NadooshanMethod and apparatus for secure key management using multi-threshold secret sharing
US20030233573 *Jun 17, 2003Dec 18, 2003Phinney Thomas L.System and method for securing network communications
US20040001605 *Jun 28, 2002Jan 1, 2004Ramarathnam VenkatesanWatermarking via quantization of statistics of overlapping regions
JP2002140631A Title not available
Non-Patent Citations
Reference
1Bezzateev et al., "Generalized Goppa codes for correcting localized errors", Cambridge, MA, USA, Aug. 16-21, 1998 (1 pg) (in English).
2 *Roth, R.M., Siegel, P.H., "Lee-metric BCH codes and their application to constrained and partial-response channels," IEEE Transactions Information Theory. vol. 40, No. 4, pp. 1083-1096, Jul. 1994.
3Shigeo et al., "Cryptogram and Information Security", Shokodo Co., Ltd., pp. 125-126, 1990 (3 pgs).
4 *Wu, X.-W., Kuijper, M., and Udaya, P., "Lower bound on minimum Lee distance of algebraic-geometric codes over finite fields," Electronic Letters, vol. 43, No. 15, pp. 820-821, Jul. 19, 2007.
Referenced by
Citing PatentFiling datePublication dateApplicantTitle
US7873168 *Oct 16, 2007Jan 18, 2011Kabushiki Kaisha ToshibaSecret information management apparatus and secret information management system
US8059816 *May 3, 2006Nov 15, 2011Temple University Of The Commonwealth System Of Higher EducationSecret sharing technique with low overhead information content
US20120020476 *Mar 26, 2010Jan 26, 2012France TelecomMethod for Performing a Cryptographic Task in an Electronic Hardware Component
Legal Events
DateCodeEventDescription
Nov 26, 2012FPAYFee payment
Year of fee payment: 4
Nov 3, 2009CCCertificate of correction
Feb 20, 2009ASAssignment
Owner name: SAMSUNG ELECTRONICS CO., LTD., KOREA, REPUBLIC OF
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LEE, KYUNG-HEE;JUNG, TAE-CHUL;KROUK, EVGENY;AND OTHERS;REEL/FRAME:022313/0531;SIGNING DATES FROM 20050112 TO 20050117